# Production Operations Policy

Last updated: March 2, 2026

## Purpose

Prevent destructive production actions that can cause irreversible data loss.

## Hard bans in production

Never run these commands against production:

1. `docker volume rm skymoney_pgdata`
2. `docker compose down -v` / `docker-compose down -v`
3. `prisma migrate reset`
4. `prisma migrate dev`
5. `prisma db push --accept-data-loss`

## Allowed migration path

1. `prisma migrate deploy` only.
2. Mandatory pre-migration backup (`scripts/backup.sh`).
3. DB target validation (`scripts/validate-prod-db-target.sh`).
4. Volume guard (`scripts/guard-prod-volume.sh`).

## Operator controls

1. Prefer constrained sudoers permissions over broad `sudo docker`.
2. Keep all manual production commands logged in an incident/change ticket.
3. Require peer confirmation before any storage/volume action.

## Intentional rebuild exception

Only for explicit rebuild events:

1. Set `ALLOW_EMPTY_PROD_VOLUME=1` for one deploy run.
2. Record reason and approver.
3. Reset `ALLOW_EMPTY_PROD_VOLUME=0` immediately afterward.
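
The hard-ban list under "Hard bans in production" can be checked mechanically before a command reaches a production host. The function below is an added example, not part of this policy or the project's scripts; the names `is_banned_prod_cmd` and `matches`, and the stripping of `sudo`/`npx` prefixes, are assumptions of the example.

```shell
#!/bin/sh
# Added example, not project code: test an argv against the policy's hard-ban list.
# is_banned_prod_cmd, matches and the sudo/npx stripping are assumptions of this example.

PROTECTED_VOLUME="skymoney_pgdata"   # volume name taken from the policy

# True if string $1 matches glob $2 (case patterns are not word-split).
matches() { case "$1" in $2) return 0 ;; esac; return 1; }

# Usage: is_banned_prod_cmd docker compose down -v
# Returns 0 if the command is on the hard-ban list, 1 otherwise.
is_banned_prod_cmd() {
  # Strip wrappers that do not change which tool runs.
  while [ "$#" -gt 0 ] && { [ "$1" = "sudo" ] || [ "$1" = "npx" ]; }; do
    shift
  done
  [ "$#" -gt 0 ] || return 1

  local tool rest after
  tool="$1"; shift
  # Treat "docker compose" (plugin) and "docker-compose" (standalone) alike.
  if [ "$tool" = "docker" ] && [ "${1:-}" = "compose" ]; then
    tool="docker-compose"; shift
  fi

  rest=" $* "   # padded so patterns match whole arguments only
  case "$tool" in
    docker)
      # Ban 1: removing the production data volume, with or without flags.
      matches "$rest" " volume rm *" && matches "$rest" "* $PROTECTED_VOLUME *" && return 0
      ;;
    docker-compose)
      # Ban 2: "down" followed by -v or --volumes.
      if matches "$rest" "* down *"; then
        after=" ${rest#* down }"
        matches "$after" "* -v *" && return 0
        matches "$after" "* --volumes *" && return 0
      fi
      ;;
    prisma)
      # Bans 3-5: reset, dev, and db push with data loss accepted.
      matches "$rest" " migrate reset *" && return 0
      matches "$rest" " migrate dev *" && return 0
      matches "$rest" " db push *" && matches "$rest" "* --accept-data-loss *" && return 0
      ;;
  esac
  return 1   # e.g. "prisma migrate deploy", the only allowed migration path
}
```

A string check like this only catches the listed spellings, so it works as a backstop in a deploy wrapper or CI step alongside the constrained sudoers permissions named under "Operator controls", not in place of them.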